Actively Exploited SQL Injection in FortiClient EMS

ⓘ  We are reaching out to let you know that a critical, actively exploited vulnerability has been identified in Fortinet’s FortiClient EMS platform.

Attention constituent:

A vulnerability has been discovered in Fortinet’s FortiClient EMS platform that allows a threat actor to run unauthorised commands on the server by sending a specially crafted web request. Active exploitation of this vulnerability has been confirmed by threat intelligence reporting. This vulnerability class has historically been used by both ransomware groups and state-sponsored threat actors against Fortinet products.

Organisations using this platform to manage their endpoint devices may be at risk if they have not applied the latest software update. A patch is available and should be applied immediately.

Advisory Overview


Advisory Type Technical
Author Je’Marco Armbrister
Date 30 March 2026
What’s Happening


Affected Systems
  • FortiClient EMS version 7.4.4 — web (GUI) interface exposed to the internet
What this Means An unauthenticated threat actor can inject malicious SQL commands through the HTTP “Site” header targeting the FortiClient EMS web interface, enabling arbitrary code execution on the server. Successful attacks could result in full system compromise, lateral movement into internal networks, data exfiltration, or ransomware deployment.
What to Look For


Signs You May Be at Risk FortiClient EMS version 7.4.4 is deployed in your environment and the web management interface (GUI) is reachable from the internet or an untrusted network segment.
Signs You May Be Affected
  • Anomalous HTTP requests in web server logs containing unusual or encoded values in the “Site” request header
  • Unexpected outbound connections from the EMS server to unknown external IPs
  • New or modified user accounts, scheduled tasks, or services not created by your team
  • Signs of lateral movement from the EMS host into other internal systems.
What to Do


Prevention Apply the vendor patch immediately and restrict public access to the management interface.

  • Upgrade FortiClient EMS to version 7.4.5 or later immediately
  • If immediate patching is not possible, restrict external access to the FortiClient EMS web interface at the firewall level
Mitigation If exploitation is suspected, treat the EMS host as compromised and take the following steps:

  • Isolate the FortiClient EMS server from the network immediately and preserve logs
  • Monitor outbound network traffic from the EMS host for connections to unknown or suspicious external addresses
  • Review web server access logs for anomalous HTTP requests, focusing on the “Site” header field
  • Audit for new or modified accounts, scheduled tasks, services, and registry entries on the EMS host
Official Information


Refer to the following verified sources for patches and additional technical detail:

Should you require additional information or further support, submit a report on our website or contact us at [email protected].

Should you require additional information or further support, submit a report on our website or contact us at [email protected].

Best,

Je’Marco Armbrister
Security Operations Centre
National Computer Incident Response Team of The Bahamas

 

Scroll to Top
Skip to content